WPA Cracker cracks WiFi passwords in the cloud

WPA Cracker is a cloud-based WiFi password-cracking service that runs on a high-performance cluster. Send them a dump of captured network traffic and $35, and they will try 136 million passwords in 40 minutes, tops (for $17, they'll run the same attack at half speed) -- the same crack would take five days on a "contemporary desktop PC." They also have an extended, 284-million-word dictionary that you can run for $55 in 40 minutes. They'll also use the same process to crack the passwords on encrypted ZIP archives.

You're safe if your password isn't in any dictionary, including the special dictionaries used for password cracking (these dictionaries will try random words in combination, as well as common letter-number substitutions such as "1" for "i" and so on). The crack works on WPA and WPA2-locked networks.

Your best bet is a long, random string for a password -- 64 bits of random noise will probably foil something like this for a good time to come. But good luck reading the password aloud to your visiting friend when she needs to get her laptop online.
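To put numbers on the advice above, here is an added example (not part of the original post) that generates a random passphrase with a chosen amount of entropy and estimates how long the rate quoted in the post would need to exhaust it, compared with a password that sits in a 136-million-entry dictionary. The function names and the SSID are illustrative, and the key derivation parameters (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) come from the WPA/WPA2-PSK standard rather than from the post.

```python
import hashlib
import math
import secrets
import string

# Rate quoted in the post: 136 million candidates in 40 minutes.
SERVICE_RATE = 136_000_000 / (40 * 60)  # guesses per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type


def random_passphrase(bits=64, alphabet=ALPHABET):
    """Shortest random passphrase over `alphabet` carrying at least `bits` of entropy."""
    length = max(8, math.ceil(bits / math.log2(len(alphabet))))  # WPA minimum is 8
    if length > 63:  # WPA passphrases are 8..63 characters
        raise ValueError("too many bits for a 63-character WPA passphrase")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_bits(entries):
    """Effective strength of any password that appears in a list of `entries` words."""
    return math.log2(entries)


def years_to_exhaust(bits, rate=SERVICE_RATE):
    """Worst-case time to try every value in a 2**bits search space."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def wpa_psk(passphrase, ssid):
    """256-bit key the access point actually uses (PBKDF2-HMAC-SHA1, SSID as salt)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    pw = random_passphrase(64)
    print("passphrase:", pw)
    print("dictionary word: %.1f bits" % dictionary_bits(136_000_000))
    print("64 random bits : %.2e years at the quoted rate" % years_to_exhaust(64))
    # "ExampleNet" is a constructed SSID; the same passphrase yields a different key per SSID.
    print("PSK:", wpa_psk(pw, "ExampleNet").hex())
```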

Questions about WPA Cracker (via Schneier)



    1. Or maybe you can make your password wicked long, like several pages of text. Then it won’t matter if the text itself is readable, so long as you’re not quoting anything well-known, like Hamlet’s soliloquy or anything like that.

      Perhaps when every password is guessable, no matter how cryptic, we’ll have to make them so long that they’re no longer memorizable, so then you’d have to carry your password around on a thumb drive, and transmit your password when needed. This, of course, kind of violates the first commandment of system security, which is to keep them in your head, not your pocket, but I would think an unidentified thumb drive with some .txt files on it would be no less secure than your car keys.

      1. > Perhaps when every password is guessable, no matter how cryptic, we’ll have to make them so long that they’re no longer memorizable, so then you’d have to carry your password around on a thumb drive, and transmit your password when needed.

        If you’re doing that, something like an RSA SecurID token, which generates clock-based one-use passphrases, is probably a better option. (In the software-token form, it’s essentially as you describe, except instead of sending the actual secret, you send a hash based on it.)

  1. This is why you should be using a pass-phrase not a password. It’s going to be a long time before a dictionary attack can take on something like “cory is my hero” as your WPA security code, but it’s still easy to remember and tell to a guest.

    1. Why is that? That’s just a 15-character password. It may be easier for you to remember than a random string but to a computer it’s exactly the same as the millions of other 15-character passwords.

  2. hmmm… my network passphrase is “wordword123465” in which the number string is based on my phone number. It’s different from all my other passwords but easy to remember. And I don’t really have any sensitive information stored on my laptop. (Cue telling down from another commenter about how my bank accounts and identity will be ripped off because I have a copy of my tax return on my HD in 3…2…1…)

    Another good password tactic I’ve found is using a phrase you can remember, but only the first and last letters of each word. “dtyuwtmebydtyuwtmeoh” would be an example.

  3. The two best recommendations I’ve seen are to use a misformed quote (i.e. “One small stpe for a man”) where the quote and the error are easy to remember, but the combination makes a dictionary attack infeasible, and to carry around a large written password (27 characters etc) that has an easy to remember error or two in it (i.e. two characters transposed and a space at the end) a la the Security Now podcast.

  4. There are passwords I need to remember, but wireless certainly isn’t one of them (and yes, I do have friends). 63 characters of randomness and KeePass FTW.

  5. Two things I have to bring up:
    1) Don’t use passwords, use passphrases.
    2) If we’re still talking about wifi, you don’t need to know your passphrase. You can generate a random (or pseudo-random) passphrase then copy and paste it onto all the necessary devices.

    My favorite trick for generating a passphrase is to take the nth letter of every word in a familiar phrase I’m unlikely to use in daily conversation and throw in some numbers and special characters for flavor.

    1. Definitely this. I like to take lyrics from a song, a line of poetry, or a prose quotation, and create strings from the nth letters of it (usually the first), replacing random letters with numbers and symbols in a non-consistent way. Sometimes I throw random symbols not in the source phrase, but that I can remember.

      It’s still not strictly random, letter frequencies in English being what they are. But it’s a lot harder to crack than a dictionary or semi-dictionary password. And it’s easy to remember — just sing the song, recite the poem or the quote to yourself, and you’re good to go.

      The trick is remembering a different one for each place you need a password/passphrase. I’ve resorted to a password-keeping program. Of course, that means my passwords are now only as secure as my computer. One does what one can. (And it’s better than keeping them written on paper or in a plaintext file, which I have seen otherwise intelligent, techy people do.)

      And less techy people? They’re still struggling with the idea that their computer login, Gmail account, Facebook account, and bank account are not all linked by the One Password To Rule Them All. It’s not just that they choose to use the same password everywhere — it’s that they don’t even grasp that they could use different ones. They just have a computer password, so it should work for all that computer stuff, right?

      The analogy of keys helps for many people. They grasp the concept that they have different keys to their home, car, office, toolshed. Once they understand that different computers and websites are actually different “places,” they grasp that they might want to use a different “lock and key” for each.

      Of course, it doesn’t stop them using obvious passwords. My husband works in IT and has stunned users who can’t remember their passwords by telling them “Try your dog’s name.” It invariably works, and they stare at him in terror. “How did you know? Are you psychic?”

      A list of the most common dog names would probably save even the time of a dictionary attack…

    1. now, see, if *I* ran a password generating site, all those generated passwords would be going straight in that dictionary.
      Just sayin’.

  6. “But good luck reading the password aloud to your visiting friend when she needs to get her laptop online. ”

    Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel Inigo Juliet Kilo Lima Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor Whisky X-ray Yankee Zulu Niner Zeh-ro.

    And for hexadecimal, one only needs the first six of the above.

  7. Joining a few words together is plenty secure enough to stop most of these rainbow attacks (for the moment at least).

    That’s why I use ‘letmein’.

    Hang on a sec… d’oh!

  8. you read the faq wrong:

    > You can run your job against half of our CPU cluster for $17 US, or you can run it against the entire cluster for $35 US. The half-mode will take at most 40 minutes…. the full-mode will take at most 20 minutes.

    So the $35 is for 20 minutes; the $17 is for 40.

    This is really rad.

    1. Haha Waylon, that reminds me. I see a medication doctor for my mental illness. One day, my ride forgot their keys in the office. Unfortunately, it was after 5PM and the door automatically locks.

      I banged on the door for a while. No one came, so I figured the hell with it, I might as well screw with the lock – at worst it would set off an alarm and someone would come let me in.

      First try: 1234. It worked. I had to tell my doctor that is really a bad idea for a passcode.

  9. Uh, all you people worrying about password strength didn’t read the “About Us” on their site:

    “WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.”

    So, it’s only for people testing or checking their own security. Whew! I can stick with using “password” on all my accounts!

  10. So…do you trust your credit card information to people whose raison d’etre is, frankly, theft? People who can’t be traced or identified?

    If they CAN be traced or identified, what’s to stop some righteous person from hacking into them and destroying their systems? Not like they don’t deserve it. Bastards.

    And yeah, I totally believe they’re just for penetration testers and so on. Just like the old Blueboy magazine was for women. It said so on the cover!

    1. >> And yeah, I totally believe they’re just for penetration testers and so on. Just like the old Blueboy magazine was for women. It said so on the cover!

      So, you’re saying that Blueboy magazine was also for penetration testers?

      1. LOL that’s beyond precious. While I certainly wish I’d thought of it, I bow in admiration!

  11. @Gilbert Wham I’ve used Steve Gibson’s site to generate random strings for quite awhile. If you’re a distrusting sort like me, you’ll copy / paste parts of the string around, and then just change a few characters. Keep it on a thumb drive (with a write only switch, natch) to share with your guests.

  12. Wait, why exactly do people put passwords on their WiFi routers? I think it’s more because router manufacturers have made this the default configuration. Personally I prefer the happy Marxist Utopian hellscape that existed a few years ago when you could always get on someone’s router named “linksys.”

  13. “Your best bet is a long, random string for a password”: Cory, that’s more than is necessary with WPA/WPA2.

    Despite this cracking site and some other dictionary tools and sites, WPA/WPA2’s hashing algorithm for turning a passphrase into a long hexadecimal key remains intact. Brute force is the only solution.

    In talking to Elcomsoft (the Russian firm that uses GPUs to crack keys, WPA and others), and other security researchers and crackers, it’s actually only necessary to have a key longer than 8 or 9 characters with no dictionary words present.

    When you hit 10 characters and use a password like “a89adf0!8_”, it’s impossible with current technology to recover that key.

    Several researchers have suggested that a memorable long phrase, a lyric from a song you like, for instance, with one bit of punctuation thrown in would take until the end of the universe to crack with known techniques.

    (Quantum computing might put the lie to all that.)

    Back in 2003, when I ran an article from a security researcher who exposed the “poor passphrase selection” weakness in WPA, he suggested that a 20-character password with no dictionary words would be vastly beyond breakability. Seven years later, crackers are up to maybe 9 characters.

  14. Or, you could install something like Tomato firmware on your router and use the Wireless filter with password.

    That way they have to spoof a designated MAC address before they can even access the password feature. They’ll most likely head to someone else’s router first.

  15. Wait, so, you can pay more for a larger password database and greater chance to crack it?

    Are you paying for a chance to crack it, or for the crack? If you’re paying them to crack it it seems ridiculous to pay for the more expensive one because if they fail then they haven’t lived up to their obligations and it should be their responsibility to make the matter right. If you’re paying for the chance then it seems ridiculous NOT to pay for the more expensive one since if the smaller database fails then that’s money wasted.

  16. Spatial patterns are a good way to have non-dictionary passwords that are easy to remember, some pattern on the keyboard that is easy to describe to visitors. Until someone gives you a Belgian keyboard.

  17. The better special dictionaries used for password cracking will include a lot of spatial keyboard patterns.

  18. I’m not sure that 64 random characters is entirely necessary. It looks like they can only make 116,000 attempts per second; 280,000,000 in 40 minutes. This means that a 64 character password of random upper and lower case with numbers would take around 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to fully brute force. (give or take the age of the universe, maths never was my strong point).

  19. My password? I bang on the keyboard, using letters, numbers and odd things like a semi-colon. Put it in a .txt file and put it on a USB thumb drive, for others to use.

  20. There is another online WPA cracking service http://www.recoverwpa.com – they charge afterwards, only if the password was found in the handshake.

    So you are paying for a guaranteed password and not only for a chance of getting something.
